U.S. Department of Energy
Office of Inspector General
Office of Audit Services

Audit Report

Management Controls over the Federal Energy Regulatory Commission's Unclassified Cyber Security Program - 2006

OAS-M-06-10
September 2006

Department of Energy
Washington, DC 20585
September 25, 2006

MEMORANDUM FOR THE EXECUTIVE DIRECTOR, FEDERAL ENERGY REGULATORY COMMISSION

FROM: Rickey R. Hass
      Assistant Inspector General for Financial, Technology and Corporate Audits
      Office of Inspector General

SUBJECT: INFORMATION: Audit Report on "Management Controls over the Federal Energy Regulatory Commission's Unclassified Cyber Security Program - 2006"

BACKGROUND

The Federal Energy Regulatory Commission (Commission) has developed and implemented a number of information systems to support its mission of regulating the natural gas industry, hydroelectric projects, oil pipelines, and wholesale rates for electricity. Because of the increasing frequency and sophistication of cyber attacks, the potential for malicious intrusion and damage to these information technology assets and the information they contain continues to grow. During 2006, the Commission estimated that it spent almost $1 million to protect its $27 million information technology investment from cyber related threats.
The importance of maintaining a robust cyber security program is well demonstrated by the debilitating effects that recent attacks on Federal organizations have had on mission performance, agency reputation, and on constituents that have been subjected to compromise of personally identifiable or sensitive data.

As required by the Federal Information Security Management Act (FISMA), and consistent with Congress's desire to develop a comprehensive framework to protect the government's information technology operations and assets, the Office of Inspector General is required to perform an annual independent evaluation of the Commission's cyber security program. This evaluation is designed to assess the adequacy and effectiveness of information security policies, procedures, and practices, and compliance with the requirements of the FISMA. This memorandum and the attached report present the results of our 2006 evaluation.

RESULTS OF EVALUATION

The Commission has continued to strengthen its cyber security program and has completed corrective action on several issues identified during our previous review. In particular, the Commission:

  • Improved configuration management procedures by ensuring that software updates were applied and users had only the access privileges necessary to perform their duties; and,

  • Enhanced its system for tracking cyber security related corrective actions to resolution.

Although these actions are noteworthy, our evaluation disclosed several opportunities to improve the effectiveness and decrease the risk associated with the Commission's cyber security program.
Specifically, we observed that:

  • While problems with access controls associated with strong password management had declined since our 2005 evaluation, testing revealed continuing problems with default, blank, or easily guessed passwords, and user account controls; and,

  • Security assessments performed in connection with system certification and annual security reviews had not been properly executed or were not adequately documented for each of the four systems we evaluated.

These vulnerabilities existed because the Commission had not ensured that certain aspects of its cyber security program conformed to either Federal or Commission requirements or guidelines. Weaknesses such as the ones we discovered detract from the overall effectiveness of the Commission's cyber security program and potentially expose its information technology resources and data to compromise. As indicated above, we believe that the Commission's overall cyber security posture has improved; however, additional work is necessary to ensure that its information and systems are properly protected from the threat associated with unauthorized or malicious access by insiders. In that connection, we have made several recommendations designed to aid management in achieving that goal.

Due to security considerations, information on specific vulnerabilities has been omitted. However, management officials have been provided with detailed information regarding identified vulnerabilities, and according to management officials, corrective actions have either been completed or initiated.

MANAGEMENT REACTION

Management concurred with each of our recommendations and indicated that it had taken corrective action to address each of the problems identified in the report. While management recognized that password weaknesses increase the risk of compromise, it did not believe that the problems we identified were significant.
We disagree and note that a knowledgeable insider could have exploited the problem passwords - introducing viruses, worms or other malicious programs that could have damaged the Commission's systems. Management's comments and our responses are summarized in the body of our report. Management's comments, in their entirety, are included in Appendix 3.

Attachment

cc: Chief of Staff
    Chief Information Officer, IM-1

REPORT ON MANAGEMENT CONTROLS OVER THE FEDERAL ENERGY REGULATORY COMMISSION'S UNCLASSIFIED CYBER SECURITY PROGRAM - 2006

TABLE OF CONTENTS

Cyber Security Program
   Details of Finding
   Recommendations
   Management Reaction and Auditor Comments

Appendices
   1. Objective, Scope, and Methodology
   2. Related Audit Reports
   3. Management Comments

CYBER SECURITY PROGRAM

Risk Management and Control Procedures

Our evaluation disclosed that the Federal Energy Regulatory Commission (Commission) had made improvements in its cyber security program and had corrected previously reported weaknesses. Specifically, the Commission improved its configuration management procedures to ensure that only current software versions were used and that user access privileges were restricted to the least level required for job performance.
The cyber security corrective action management process had also been modified to ensure that all vulnerabilities and weaknesses were identified and tracked to resolution. In spite of these efforts, several opportunities exist to improve the effectiveness of the Commission's cyber security program as it relates to access controls and security assessments.

Access Controls

We continued to find that controls over passwords were not always effective. The Commission policy related to passwords requires, among other things, that passwords must be in place for all systems and that they must be unique, difficult to guess, and a minimum length of eight characters. Passwords are a critical element of computer security and provide the basis for controlling access and establishing accountability by identifying and authenticating users. However, our testing revealed that easily guessed, blank, or default passwords existed on several of the Commission's systems. This condition, first reported in our Evaluation Report on the Federal Energy Regulatory Commission's Unclassified Cyber Security Program-2005 (DOE/IG-0704), continued to exist despite action taken by Commission officials to correct the problem.

In addition, we also observed that controls designed to discover and suspend access for inactive accounts were not always effective.
The Commission's Unused Accounts Standard Operating Procedures require that unused network accounts be disabled after 90 days of inactivity to reduce the risk of unauthorized system access. However, our testing revealed that 20 network user accounts remained active even though they had not been used for almost a year. Management explained that delays in removing inactive network accounts were largely due to an incomplete validation process for the identified accounts prior to their intended disablement. They stated that the validation process involved receiving confirmation from the Commission's Administrative Officers, which had not occurred for the accounts we identified.

Security Assessments

Security assessments performed in connection with system certification and annual security reviews had not been performed properly or were not adequately documented for each of the four systems evaluated. Annual security assessments, required by Office of Management and Budget (OMB) guidance, determine the extent to which the security controls are implemented correctly, operating as intended, and producing the desired outcome.
Specifically, the assessments did not evaluate the level of effectiveness of many of the 36 critical control elements specified in National Institute of Standards and Technology (NIST) requirements. Consideration of critical elements, such as those in place to plan for contingencies; to prevent interception of data; and to respond to incidents, had been omitted. For example, one assessment measured the effectiveness of only 2 of the 36 critical elements, while 2 other assessments only measured the effectiveness of 7 and 9 elements, respectively.

We also identified problems with properly preparing and updating assessments prior to re-certification of systems that had previously been provided with authority to operate. For example, management officials told us that, while they had performed the required assessment for one of the agency's systems, they had not documented it and could not provide information necessary for us to evaluate the sufficiency of the procedure. Officials also had not properly updated self-assessments to reflect the required supporting security controls prior to granting systems with continued authority to operate.
For one assessment, officials indicated that 61 percent of the required controls were not applicable without explaining why, and in another case either totally excluded or did not explain why 79 percent of the required controls were not necessary.

Program Implementation and Oversight

These vulnerabilities existed, in part, because the Commission had not ensured that certain aspects of its cyber security program conformed to Federal requirements and guidelines. Specifically, continued access control problems were a direct result of configuration controls that were not applied in accordance with the Commission's own requirements and the guidelines set forth by NIST. In addition, the Commission's annual system security review process was not performed in accordance with OMB requirements and did not address all of the critical control elements as defined by NIST requirements.

Information technology management officials told us that, rather than conforming to OMB requirements, they chose to adopt their own approach to certification and accreditation that was better suited to the size and limited resources available to their organization.
They believed that after considering the risk associated with their systems, it was appropriate to omit certain steps required by NIST guidance when re-certifying the Commission's systems for operation. Rather than specifically considering each of the NIST-prescribed critical security elements, these officials relied instead on self-assessments performed by system owners, a review and update of the system risk assessment by the certification agent, system owner, and other stakeholders to establish a basis for re-accrediting systems.

While we did not attempt to determine whether departure from NIST guidance was appropriate or advisable in any circumstance, we believe that because of the deficiencies and omissions from the original assessments performed on these systems such an approach was not appropriate and increased the risk associated with their operation. As previously noted, many of the 36 NIST-prescribed critical security elements had not been considered when these systems were initially authorized to operate.
As such, the assessments did not provide assurance that systems security controls were in place and operating as intended nor did they provide a sufficient basis for the accrediting official to either authorize the system to operate or accept residual risks.

Operational Impacts

Although the Commission's overall cyber security posture had improved, information resources remain vulnerable. As a result, the information and systems that support the Commission's missions and business activities could be at risk of compromise. For example, weak passwords and the failure to identify and disable unused accounts could result in unauthorized access to Commission information resources by malicious users. Inadequate evaluation of system security controls to thoroughly verify the implementation of security controls could also result in undetected information security weaknesses that may hinder the Commission's effort to effectively secure its systems.

RECOMMENDATIONS

Weaknesses identified during the course of our evaluation were discussed with Commission officials and actions were taken to resolve certain problems identified. However, to improve cyber security within the Commission, we recommend that the Executive Director take action to:

  1.
     Ensure that procedures are implemented for securely configuring the Commission's systems by (a) prohibiting the use of easily guessed, blank or default passwords that do not adhere to NIST guidelines; and, (b) correcting systems with improperly configured security settings for various network services;

  2. Review and update the procedures relating to unused network accounts to enforce the identification and removal of inactive accounts in a timely manner; and,

  3. Ensure that the annual security review processes, used to support the certification and accreditation of systems, thoroughly address the critical control requirements defined by NIST.

MANAGEMENT REACTION AND AUDITOR COMMENTS

Management concurred with our findings and recommendations, but offered clarifying remarks. Management's proposed and stated actions are responsive to our recommendations.
In reference to specific comments, management reaction and auditor comments follow:

Recommendation 1: Ensure that procedures are implemented for securely configuring the Commission's systems by (a) prohibiting the use of easily guessed, blank or default passwords that do not adhere to NIST guidelines; and, (b) correcting systems with improperly configured security settings for various network services.

Management Comments: Management stated they confirmed that there were nine accounts identified as having blank or weak passwords. They added that these were local accounts without network access and only two of these accounts provided any elevated privileges to the computer. They also noted that only a small percentage of the Commission's passwords were found to have vulnerabilities.

Auditor Response: We identified a total of 12 blank or weak passwords, including 9 that could have permitted access to the Commission's file servers. Of the nine blank or weak passwords, one of the blank password accounts had an attribute which indicated it was an account with elevated privileges. Two other accounts with blank passwords were system administrator accounts -- accounts highly vulnerable to exploits.
As noted by management in their comments, even a small number of accounts whose passwords are not compliant with organizational policy represent a security issue. For example, gaining unauthorized access via blank or weak passwords could allow a user to compromise systems by installing a trojan, which is a malicious program disguised as or embedded within legitimate software; or a keylogger, which captures the user's keystrokes, providing a means of obtaining unauthorized information.

Management Comment: Management indicated that in order to exploit any of these local accounts, a perpetrator must have either authorized access to the Commission's internal network protected by Microsoft® Active Directory or physical access which would require the circumvention of three increasingly restrictive physical layers of defense, using an authorized badge.
They stated that the only way a person without foreknowledge could have discovered the existence of these particular local accounts would be to scan the network and that any internal scanning process would have been detected by the Commission's Intrusion Detection System.

Auditor Response: We agree that these accounts are most vulnerable to knowledgeable insiders – an increasing threat to information technology assets in both Federal and private sector organizations. The audit tests that revealed these password weaknesses were specifically designed to evaluate the "insider threat" associated with an employee or someone who is permitted access to the facility. This scenario assumes the user has network access and that through exploitation of vulnerabilities is able to escalate their assigned level of privileges.
Furthermore, although the Commission runs an Intrusion Detection System, exploitation of the vulnerabilities we identified and the infliction of potential damage may have been possible prior to detection by the incident response team.

Recommendation 3: Ensure that the annual security review processes, used to support the certification and accreditation of systems, thoroughly address the critical control requirements defined by NIST.

Management Comment: Management stated they believe they complied with the guidance in NIST SP 800-26 for annual security reviews, but added that they acknowledge that its administrative documentation did not appear to satisfy the IG's definition of acceptable artifacts. They noted they follow system certification and annual security review processes that balance risk and cost and, when appropriate, leverage security assessment activities already performed during the course of the fiscal year. They also stated that these processes incorporate enterprise and system scans, contingency plan testing, and security test and evaluation of technical controls.

Auditor Comment: We are gratified that management, in response to our recommendation, had taken action to complete updates to its self-assessments. Our report does not take issue with the Commission's systems certification and annual security review methodologies.
However, as we noted, both the systems certification process and the annual security review process relied on NIST SP 800-26 system self-assessments that failed to consider most of the 36 critical control elements specified in NIST requirements. Reporting guidance for the FISMA, issued by the OMB, requires that annual security reviews be performed in accordance with specific NIST requirements.

Management's comments are included in their entirety in Appendix 3.

Appendix 1

OBJECTIVE

In accordance with the Federal Information Security Management Act of 2002 (FISMA or the Act), the Office of Inspector General (OIG) performed an independent evaluation to assess the adequacy and effectiveness of the Commission's information security policies, procedures, and practices, and compliance with the requirements of the Act.

SCOPE

The evaluation was performed between July and September 2006 at the Commission in Washington, DC. Specifically, we performed an evaluation of the Commission's Fiscal Year 2006 unclassified cyber security program. The evaluation included a review of general and application controls in areas such as entity-wide security planning, access controls, application software development, change controls, segregation of duties and service continuity.
Our work did not include a determination of whether vulnerabilities found were actually exploited and used to circumvent existing controls.

METHODOLOGY

To assess the adequacy and effectiveness of the Commission's information security policies and practices, we:

  • Reviewed Federal statutes and guidance applicable to ensuring the effectiveness of information security controls over information resources supporting Federal operations and assets such as FISMA guidance and OMB Circular A-130, Appendix III, and NIST standards and guidance;

  • Reviewed the Commission's overall cyber security program to evaluate the adequacy and effectiveness of information security policies, procedures, and practices, and compliance with the requirements of FISMA;

  • Assessed controls over network operations to determine the ineffectiveness of safeguarding information resources from unauthorized internal and external sources;

  • Performed our evaluation in conjunction with our annual audit of the Commission's Financial Statements, utilizing work performed by KPMG LLP (KPMG), the OIG's
    contract auditor. KPMG's efforts included analysis and testing of general and application controls for systems as well as vulnerability scanning of networks; and,

  • Analyzed OIG reports issued between 2003 and 2005 and reviewed other audits and evaluations performed by the Government Accountability Office (GAO) and OMB.

We evaluated the Commission's implementation of the Government Performance and Results Act of 1993 related to the establishment of performance measures for unclassified cyber security. We did not rely solely on computer-processed data to satisfy our objectives. However, computer assisted audit tools were used to perform probes of various networks and devices. We validated the results of the scans by confirming the weaknesses disclosed with Commission officials and performed other procedures to satisfy ourselves as to the reliability and competence of the data produced by the tests.

The evaluation was conducted in accordance with generally accepted government auditing standards for performance audits and included tests of internal controls and compliance with laws and regulations to the extent necessary to satisfy our objective. Accordingly, we assessed internal controls regarding the development and implementation of automated systems.
Because our review was limited, it would not necessarily have disclosed all internal control deficiencies that may have existed at the time of our evaluation.

An exit conference was held with Commission officials on September 20, 2006.

Appendix 2

RELATED AUDIT REPORTS

  • Information Security: Federal Agencies Show Mixed Progress in Implementing Statutory Requirements (GAO 06-527T, March, 2006). GAO reported that in its Fiscal Year (FY) 2005 report to Congress, Office of Management and Budget noted that the Federal Government had made progress in meeting key performance measures for information security; however, uneven implementation of security efforts has left weaknesses in several areas. The FY 2005 reports submitted by the agencies presented a mixed picture of Federal Information Security Management Act of 2002 (FISMA or the Act) implementation in the Federal Government. In their FY 2005 reports, 24 major Federal agencies generally reported an increasing number of systems meeting key information security performance measures, such as percentage of systems certified and accredited and percentage of contingency plans tested. Nevertheless, progress was uneven. For example, the percentage of agency systems reviewed declined from 96 percent in 2004 to 84 percent in 2005.
  GAO further reported that Federal
  entities can act to improve the usefulness of the annual FISMA reporting process
  and to mitigate underlying information security weaknesses.

• Evaluation Report: The Federal Energy Regulatory Commission's Unclassified
  Cyber Security Program - 2005 (DOE/IG-0704, October 2005). While the
  Federal Energy Regulatory Commission (Commission) continues to make strides
  toward improving its unclassified cyber security program, our current evaluation
  revealed several problems that have the potential to put the Commission's systems
  at risk. These problems were found in the areas of access controls, configuration
  management, and corrective action reviews. These problems existed because the
  Commission had not consistently performed compliance evaluations required by
  Federal and organization-specific security directives. As a result, the
  Commission's systems were at risk of disruption of operations, modification or
  destruction of sensitive data or programs, or theft or improper disclosure of
  confidential business information.

• Evaluation of the Federal Energy Regulatory Commission's Cyber Security
  Program 2004 (OAS-L-04-21, September 2004). Despite making improvements
  in its unclassified cyber security program, the Commission had not completed
  contingency planning, risk management, and certification and accreditation of
  systems. Although the Commission used the National Institute of Standards and
  Technology (NIST) risk assessment methodology as required by FISMA, it had
  yet to finalize a risk assessment methodology tailored to its needs - a key step in
  determining current security vulnerabilities within an organization and
  implementing mitigating controls.
  Additionally, at the time of the evaluation the
  Commission had only completely tested one of its five system-level contingency
  plans. Successful completion of these ongoing initiatives should help correct
  remaining cyber security problems at the Commission.

• Evaluation of the Federal Energy Regulatory Commission's Cyber Security
  Program 2003 (OAS-L-03-21, September 2003). The evaluation of the
  Commission's unclassified cyber security program reported that significant
  progress was made in resolving weaknesses reported during the 2002 evaluation.
  However, plans for maintaining or resuming critical operations in the event of an
  emergency or disaster had not been completed.

Appendix 3

MANAGEMENT COMMENTS

The Office of Inspector General wants to make the distribution of its reports as customer friendly
and cost effective as possible. Therefore, this report will be available electronically through the
Internet at the following address:

U.S.
Department of Energy Office of Inspector General Home Page
http://www.ig.energy.gov/